## Abstract

In tandem with recent progress on computing on encrypted data via fully homomorphic encryption, we present a framework for computing on *authenticated* data via the notion of slightly homomorphic signatures, or \(P\)-homomorphic signatures. With such signatures, a third party can *derive* a signature on an object \(m'\) from a signature on \(m\) as long as \(P(m,m')=1\) for some predicate \(P\) that captures the "authenticatable relationship" between \(m'\) and \(m\). Moreover, a derived signature on \(m'\) reveals *no extra information* about the parent \(m\). Our definition is carefully formulated to provide one unified framework for a variety of distinct concepts in this area, including arithmetic, homomorphic, quotable, redactable, and transitive signatures, among others. It requires that a derived signature be indistinguishable from a fresh one *even when given the original signature*. This inability to link derived signatures to their original sources prevents certain practical privacy and linking attacks, a property that most prior works do not satisfy. Under this strong definition, we provide generic constructions for all univariate and closed predicates, and specific efficient constructions for a broad class of natural predicates such as quoting, subsets, weighted sums, averages, and Fourier transforms. To our knowledge, these are the first efficient constructions for these predicates (excluding subsets) that provably satisfy this strong security notion.
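As an added illustration (not the paper's construction), the following Python models the \(P\)-homomorphic interface for the subset predicate: `derive` enforces \(P(m,m')=1\) without any key, yet the scheme fails the context-hiding requirement described above, because a derived signature inherits its parent's tag and is therefore distinguishable from a fresh signature on the same \(m'\). A keyed HMAC stands in for the signer's public-key signature; `sign`, `derive`, `verify`, `linkable` and the sample key are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed illustration (not the paper's construction): a naive
# P-homomorphic scheme for the subset predicate. A keyed HMAC stands in
# for the signer's public-key signature, so here verification needs the
# key too; derivation, as in the paper's model, needs no key at all.

def P_subset(m, m_prime):
    """Authenticatable relationship: m' may be derived from m iff m' is a subset of m."""
    return set(m_prime) <= set(m)

def _part(key, tag, x):
    return hmac.new(key, tag + x.encode(), hashlib.sha256).digest()

def sign(key, m):
    """Fresh signature: a random tag binds one authenticator per element of m."""
    tag = os.urandom(16)
    return {"tag": tag, "parts": {x: _part(key, tag, x) for x in set(m)}}

def derive(sig, m, m_prime):
    """Third-party derivation: allowed only when P(m, m') = 1.
    Components for dropped elements are simply discarded."""
    if not P_subset(m, m_prime):
        raise ValueError("P(m, m') = 0: derivation not authorized")
    return {"tag": sig["tag"], "parts": {x: sig["parts"][x] for x in set(m_prime)}}

def verify(key, m, sig):
    """Accept only a signature whose components cover exactly the elements of m."""
    if set(sig["parts"]) != set(m):
        return False
    return all(hmac.compare_digest(sig["parts"][x], _part(key, sig["tag"], x)) for x in set(m))

def linkable(sig_a, sig_b):
    """The distinguisher the paper's definition rules out: a derived signature
    inherits its parent's tag, so anyone holding both can link them, whereas
    a fresh signature on the same m' carries an unrelated tag."""
    return sig_a["tag"] == sig_b["tag"]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    parent = ["alice", "bob", "carol"]
    sig = sign(key, parent)
    quoted = derive(sig, parent, ["alice", "carol"])
    print("derived verifies:", verify(key, ["alice", "carol"], quoted))
    print("derived linkable to parent:", linkable(quoted, sig))
    print("fresh linkable to parent:", linkable(sign(key, ["alice", "carol"]), sig))
```

A scheme meeting the paper's definition must make `linkable` (and any other distinguisher) fail even for an adversary holding the original signature.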

## Keywords

Authentication; Homomorphic signatures; Quotable signatures

## Notes

### Acknowledgments

We are grateful to the anonymous reviewers of TCC 2012 and the Journal of Cryptology for their helpful comments.
